Your message dated Fri, 14 Oct 2005 05:02:08 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#333734: fixed in curl 7.15.0-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Content-Type: multipart/mixed; boundary="===============1069176351=="
MIME-Version: 1.0
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: curl: Buffer overflow in NTLM authentication
X-Mailer: reportbug 3.17
Date: Thu, 13 Oct 2005 15:03:42 +0200
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>

This is a multi-part MIME message sent by reportbug.

--===============1069176351==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: curl
Version: 7.14.1-5
Severity: grave
Tags: security
Justification: user security hole

Another buffer overflow has been found in curl's NTLM authentication
code. (This one is different from CAN-2005-0490 and doesn't seem to
have a CVE assignment yet). Please see 
http://www.mail-archive.com/wget%40sunsite.dk/msg08294.html
for more information. The vulnerable code is almost identical
to wget. For your reference I've attached the extracted fix from
the latest wget release. The actual fix applies to curl's
Curl_output_ntlm() function as well, but needs to be adapted to
the appropriate CURLcode definition for an error situation like
this instead of returning NULL.

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc1
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages curl depends on:
ii  libc6                         2.3.5-6    GNU C Library: Shared libraries an
ii  libcomerr2                    1.38-2     common error description library
ii  libcurl3                      7.14.1-5   Multi-protocol file transfer libra
ii  libidn11                      0.5.18-1   GNU libidn library, implementation
ii  libkrb53                      1.3.6-5    MIT Kerberos runtime libraries
ii  libssl0.9.8                   0.9.8-2    SSL shared libraries
ii  zlib1g                        1:1.2.3-4  compression library - runtime

curl recommends no packages.

-- no debconf information

--===============1069176351==
Content-Type: text/x-c; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="wget-ntlm-auth-bufferoverflow.diff"

diff -Naur wget-1.10.1/src/http-ntlm.c wget-1.10.2/src/http-ntlm.c
--- wget-1.10.1/src/http-ntlm.c 2005-05-10 23:16:53.000000000 +0200
+++ wget-1.10.2/src/http-ntlm.c 2005-10-13 10:52:21.000000000 +0200
@@ -526,6 +526,11 @@
     size=64;
     ntlmbuf[62]=ntlmbuf[63]=0;
 
+    /* Make sure that the user and domain strings fit in the target buffer
+       before we copy them there. */
+    if(size + userlen + domlen >= sizeof(ntlmbuf))
+      return NULL;
+    
     memcpy(&ntlmbuf[size], domain, domlen);
     size += domlen;
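
Review bot: the new bound `if(size + userlen + domlen >= sizeof(ntlmbuf))` accounts only for the user and domain strings, while the context shows just the domain memcpy; anything else appended to ntlmbuf after these two copies (not visible in this hunk) needs to be part of the sum or get its own check. The addition can also wrap if userlen or domlen are ever very large, so comparing by subtraction (domlen against sizeof(ntlmbuf) - size, then userlen against what remains) is more robust. It is worth confirming that every caller treats the new `return NULL` as an error, and the added blank line after it carries trailing whitespace.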


--===============1069176351==--
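
The bounded append the report above asks for, returning an error code instead of NULL, as an added example that is not curl's or wget's code. All names (`append_identity`, `BUILD_TOO_LONG`, `try_lengths`) and the 256-byte buffer size are hypothetical; the comparison is done by subtraction so the length sum cannot wrap.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names for illustration; not curl's or wget's identifiers. */
enum build_result { BUILD_OK = 0, BUILD_TOO_LONG = 1 };

#define NTLM_HDR_LEN 64   /* fixed header size, as in "size=64" in the hunk */
#define NTLM_BUF_LEN 256  /* assumed buffer size for this sketch */

/* Append domain, then user, after the fixed header. Failure is reported
   through the return code; the final length is written to *out_len. */
static enum build_result append_identity(unsigned char *buf, size_t cap,
                                         const char *domain, size_t domlen,
                                         const char *user, size_t userlen,
                                         size_t *out_len)
{
  size_t size = NTLM_HDR_LEN;

  if(cap < size)
    return BUILD_TOO_LONG;
  /* Same bound as the patch (size + userlen + domlen >= cap is rejected),
     but compared by subtraction so a huge length cannot wrap the sum. */
  if(domlen >= cap - size || userlen >= cap - size - domlen)
    return BUILD_TOO_LONG;

  memcpy(&buf[size], domain, domlen);
  size += domlen;
  memcpy(&buf[size], user, userlen);
  size += userlen;
  *out_len = size;
  return BUILD_OK;
}

/* Constructed driver: feeds strings of the given lengths into a local buffer. */
static enum build_result try_lengths(size_t domlen, size_t userlen,
                                     size_t *out_len)
{
  static char src[NTLM_BUF_LEN];        /* constructed sample input */
  unsigned char ntlmbuf[NTLM_BUF_LEN];

  memset(src, 'A', sizeof(src));
  memset(ntlmbuf, 0, sizeof(ntlmbuf));
  return append_identity(ntlmbuf, sizeof(ntlmbuf), src, domlen,
                         src, userlen, out_len);
}

int main(void)
{
  size_t n = 0;
  return (try_lengths(8, 5, &n) == BUILD_OK && n == 77) ? 0 : 1;
}
```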

---------------------------------------
From: Domenico Andreoli <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#333734: fixed in curl 7.15.0-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Fri, 14 Oct 2005 05:02:08 -0700

Source: curl
Source-Version: 7.15.0-1

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive:

curl_7.15.0-1.diff.gz
  to pool/main/c/curl/curl_7.15.0-1.diff.gz
curl_7.15.0-1.dsc
  to pool/main/c/curl/curl_7.15.0-1.dsc
curl_7.15.0-1_i386.deb
  to pool/main/c/curl/curl_7.15.0-1_i386.deb
curl_7.15.0.orig.tar.gz
  to pool/main/c/curl/curl_7.15.0.orig.tar.gz
libcurl3-dbg_7.15.0-1_i386.deb
  to pool/main/c/curl/libcurl3-dbg_7.15.0-1_i386.deb
libcurl3-gnutls-dev_7.15.0-1_i386.deb
  to pool/main/c/curl/libcurl3-gnutls-dev_7.15.0-1_i386.deb
libcurl3-gnutls_7.15.0-1_i386.deb
  to pool/main/c/curl/libcurl3-gnutls_7.15.0-1_i386.deb
libcurl3-openssl-dev_7.15.0-1_i386.deb
  to pool/main/c/curl/libcurl3-openssl-dev_7.15.0-1_i386.deb
libcurl3_7.15.0-1_i386.deb
  to pool/main/c/curl/libcurl3_7.15.0-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Domenico Andreoli <[EMAIL PROTECTED]> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 14 Oct 2005 13:32:06 +0200
Source: curl
Binary: libcurl3-dbg libcurl3 libcurl3-gnutls-dev libcurl3-openssl-dev libcurl3-gnutls curl
Architecture: source i386
Version: 7.15.0-1
Distribution: unstable
Urgency: low
Maintainer: Domenico Andreoli <[EMAIL PROTECTED]>
Changed-By: Domenico Andreoli <[EMAIL PROTECTED]>
Description: 
 curl       - Get a file from an HTTP, HTTPS, FTP or GOPHER server
 libcurl3   - Multi-protocol file transfer library
 libcurl3-dbg - libcurl compiled with debug symbols
 libcurl3-gnutls - Multi-protocol file transfer library
 libcurl3-gnutls-dev - Development files and documentation for libcurl
 libcurl3-openssl-dev - Development files and documentation for libcurl
Closes: 329313 333609 333734
Changes: 
 curl (7.15.0-1) unstable; urgency=low
 .
   * New upstream release:
     - fixed user+domain name buffer overflow in the NTLM code
       (CAN-2005-3185, closes: #333734).
     - libcurl3-*-dev packages now depend on libkrb5-dev (closes: #333609).
     - improved docs about curl_easy_setopt() and ERRORBUFFER (closes: #329313).
Files: 
 7e9ef85b93c465bfa05a46f18aa6fb11 915 web optional curl_7.15.0-1.dsc
 02bd72f1458c0cc802b33808fd0afe75 1751006 web optional curl_7.15.0.orig.tar.gz
 85b80928ff566c773e23dbe4a1b7f071 181051 web optional curl_7.15.0-1.diff.gz
 d77e7d65b8c0279cc205ade400d6b2e2 162012 web optional curl_7.15.0-1_i386.deb
 7b9f98f23a13a82ae477a01b4202483d 159984 libs optional libcurl3_7.15.0-1_i386.deb
 8e36ba8d519df07cebc79c859c3d57a9 154400 libs optional libcurl3-gnutls_7.15.0-1_i386.deb
 cf7d6d6a8e1cc711c0c7e42c784ad625 702364 libdevel optional libcurl3-openssl-dev_7.15.0-1_i386.deb
 27e16eb5d4f38171aa900548fb69b926 696068 libdevel optional libcurl3-gnutls-dev_7.15.0-1_i386.deb
 e5d8b60997cf1ca788d8d84a6f85de69 502602 libdevel extra libcurl3-dbg_7.15.0-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDT5s6BneQM6IOvFARAorKAJ90ShAwY2t9iQljfrXIMRXj08Lf2gCfRMPc
wF5hEaspfg2SscxHEhx1q6U=
=pMqK
-----END PGP SIGNATURE-----

